MD5: 76d056eab6a7a297f4115d32d7e3fff0
SHA1: 7b35cc6a7747abb090f34c5d3df98bb90461dae8
SHA256: 2583440d195e0e4caa830e0107b5164bf2f3cab10d7873ef4544ec5c2e708a4c
SSDeep: 196608:k5pKc849z9DyR6XUEW6LZNQ3AWkaoNDGrj0fU4EDRw57qc55t:qv9z9Dy4kEvrEA1ai4j6Si7zD
Size: 8875961 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: LCCWin32v1x, UPolyXv05_v6
Company: no certificate found
Created at: 2000-06-12 06:19:17
Analyzed on: Windows7 SP1 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

%original file name%.exe:3676
SVHOST.EXE:3172
IDMSETUP.EXE:3148
KEYLOG.EXE:2452
rundll32.exe:1948
SETUP.EXE:3400

The Worm injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\SETUP.EXE (1365 bytes)
C:\Windows\System32\KEYLOG.EXE (1980 bytes)

The process SVHOST.EXE:3172 makes changes in the file system.
The Worm deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\lenh[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\lenh[1].txt (0 bytes)

The process IDMSETUP.EXE:3148 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp (187 bytes)

The process KEYLOG.EXE:2452 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Desktop\Log.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KEYLOG.EXE.lnk (865 bytes)

The process rundll32.exe:1948 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0QB1JLE\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y2WOAHMS\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T3K3S2QD\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VQ5LGSJU\desktop.ini (67 bytes)

The process SETUP.EXE:3400 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\IDMSETUP.EXE (1024 bytes)
C:\Windows\System32\SVHOST.EXE (1897 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process SVHOST.EXE:3172 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32]
"EnableConsoleTracing" = "0"

"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\svhost_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe" = "C:\Windows\wupdate.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process SETUP.EXE:3400 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 11
39f8b9fea1a0a771737baef890fcd9b4
fd05bdf5019c4218ea56033f6fa1bd14
e505c9effa1c6fe3bb5728ebcd2abab0
db723c3085df6a5b998ac7da76b8ae6b
3c9c97b66c73826a32aa994b48d9cfa6
881f149fe9c25b3d5dc3924df259dea9
f759a6290c11536bea92776beff22f52
760304eac9dca1f2d391ad3dcb469b80
7c279ee03368b9f682c777549b5c5c06
45dc5bfc17fd6b93eded4209f199fea5
510d00f8a51a12019240640c36dc2718

URLs

URL	IP
hxxp://long.nhatnghe.vn/trojan.txt	103.27.60.195
hxxp://cehlab.info/X/lenh.txt	119.81.140.207

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile

Traffic

GET /trojan.txt HTTP/1.1

User-Agent: AutoIt

Host: long.nhatnghe.vn

HTTP/1.1 404 Not Found

Content-Type: text/html

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Date: Sat, 25 Feb 2017 17:00:03 GMT

Content-Length: 1245
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://ww
w.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://
VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content
-Type" content="text/html; charset=iso-8859-1"/>..<title>404 
- File or directory not found.</title>..<style type="text/css
">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Aria
l, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px
 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:
1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;
color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 
2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..backgr
ound-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...c
ontent-container{background:#FFF;width:96%;margin-top:8px;padding:10px
;position:relative;}..-->..</style>..</head>..<body&
gt;..<div id="header"><h1>Server Error</h1></div&
gt;..<div id="content">.. <div class="content-container">&
lt;fieldset>..  <h2>404 - File or directory not found.</h2
>..  <h3>The resource you are looking for might have been rem
oved, had its name changed, or is temporarily unavailable.</h3>.
. </fieldset></div>..</div>..</body>..</htm
l>....
<<< skipped >>>

GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:14:27 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT..Content
-Type: text/plain..Content-Length: 0..Date: Sat, 25 Feb 2017 17:14:27 
GMT..Accept-Ranges: bytes..Server: LiteSpeed..Connection: Keep-Alive..
....


GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:14:32 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT..Content
-Type: text/plain..Content-Length: 0..Date: Sat, 25 Feb 2017 17:14:32 
GMT..Accept-Ranges: bytes..Server: LiteSpeed..Connection: Keep-Alive..
....


GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:14:38 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT..Content
-Type: text/plain..Content-Length: 0..Date: Sat, 25 Feb 2017 17:14:38 
GMT..Accept-Ranges: bytes..Server: LiteSpeed..Connection: Keep-Alive..
....


GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:14:43 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT..Content
-Type: text/plain..Content-Length: 0..Date: Sat, 25 Feb 2017 17:14:43 
GMT..Accept-Ranges: bytes..Server: LiteSpeed..Connection: Keep-Alive..
....


GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:14:49 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT..Content
-Type: text/plain..Content-Length: 0..Date: Sat, 25 Feb 2017 17:14:49 
GMT..Accept-Ranges: bytes..Server: LiteSpeed..Connection: Keep-Alive..
....


GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:14:54 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT..Content
-Type: text/plain..Content-Length: 0..Date: Sat, 25 Feb 2017 17:14:54 
GMT..Accept-Ranges: bytes..Server: LiteSpeed..Connection: Keep-Alive..
....


GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:14:59 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1 200 OK..Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT..Content
-Type: text/plain..Content-Length: 0..Date: Sat, 25 Feb 2017 17:14:59 
GMT..Accept-Ranges: bytes..Server: LiteSpeed..Connection: Keep-Alive..
....


GET /X/lenh.txt HTTP/1.1

User-Agent: AutoIt

Host: cehlab.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Last-Modified: Wed, 22 Feb 2017 18:33:21 GMT

Content-Type: text/plain

Content-Length: 0

Date: Sat, 25 Feb 2017 17:15:05 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: Keep-Alive
HTTP/1.1..

The Worm connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

SSh8*

PSSSSSSh

Gt.Ht$

t.jGZf;

PSSShl

PVSShl

j.Zf;

;K|s%f

?#%X.y

GetProcessWindowStation

operator

kernel32.dll

oleaut32.dll

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

IIIIIB(II<.Fg

7?_____ZZSSH%

~P.rU3

%sQ6*

x.ww3

.TBj|qx0qoez

8 >.Up

e%X*b

40.Qa

-MeA.Ll

.Pxx)^

.AXL{

%F$-{

.fQ6N

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

> >$>(>=>

5o6q6

6!6%6)6-616

343C3n3v3}3

:&:*:.:2:

4#4'4 4/43474;4

<$<,<4<<<\=

mscoree.dll

combase.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

USER32.DLL

>>>AUTOIT NO CMDEXECUTE<<<

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

APPSKEY

789:;<=>?

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDelay

SendKeyDownDelay

TCPTimeout

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 12, 0

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

C:\Windows\system32\KEYLOG.EXE

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

SVHOST.EXE_3172:

.text

`.rdata

@.data

.rsrc

@.reloc

SSh8*

PSSSSSSh

Gt.Ht$

t.jGZf;

PSSShl

PVSShl

j.Zf;

;K|s%f

?#%X.y

GetProcessWindowStation

operator

kernel32.dll

oleaut32.dll

RegDeleteKeyExW

advapi32.dll

Error text not found (please report)

operand of unlimited repeat could match the empty string

POSIX named classes are supported only within a class

erroffset passed as NULL

POSIX collating elements are not supported

this version of PCRE is compiled without UTF support

PCRE does not support \L, \l, \N{name}, \U, or \u

support for \P, \p, and \X has not been compiled

this version of PCRE is not compiled with Unicode property support

\N is not supported in a class

WSOCK32.dll

VERSION.dll

WINMM.dll

COMCTL32.dll

MPR.dll

InternetCrackUrlW

HttpQueryInfoW

HttpOpenRequestW

HttpSendRequestW

FtpOpenFileW

FtpGetFileSize

InternetOpenUrlW

WININET.dll

PSAPI.DLL

IPHLPAPI.DLL

USERENV.dll

UxTheme.dll

GetProcessHeap

CreatePipe

GetWindowsDirectoryW

KERNEL32.dll

OpenWindowStationW

SetProcessWindowStation

CloseWindowStation

MapVirtualKeyW

EnumChildWindows

EnumWindows

VkKeyScanW

GetKeyState

GetKeyboardState

SetKeyboardState

GetAsyncKeyState

keybd_event

EnumThreadWindows

ExitWindowsEx

UnregisterHotKey

RegisterHotKey

GetKeyboardLayoutNameW

USER32.dll

SetViewportOrgEx

GDI32.dll

COMDLG32.dll

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegEnumKeyExW

RegDeleteKeyW

ADVAPI32.dll

ShellExecuteW

SHFileOperationW

ShellExecuteExW

SHELL32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÁ

n..GGHHH

n...GGHHH

n ....HGHHHH

n  ....G.HHH

~~~~{~{{{{

n!! ....HGHHHH

n!!  .....HHHHHH

!!!  ....GGHHH

!!"".....HHHHnv

"""...-.nv

@Þ5

zgg%U

~P].ap

.Oy^U

Jn)%u9

.ANK1

.lz C

<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>

<requestedExecutionLevel level="asInvoker" uiAccess="false"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

> >$>(>=>

5o6q6

6!6%6)6-616

343C3n3v3}3

:&:*:.:2:

4#4'4 4/43474;4

<$<,<4<<<\=

mscoree.dll

combase.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

USER32.DLL

>>>AUTOIT NO CMDEXECUTE<<<

CMDLINERAW

CMDLINE

/AutoIt3ExecuteLine

/AutoIt3ExecuteScript

APPSKEY

789:;<=>?

FTPSETPROXY

GUICTRLRECVMSG

GUICTRLSENDMSG

GUIGETMSG

GUIREGISTERMSG

HOTKEYSET

HTTPSETPROXY

HTTPSETUSERAGENT

ISKEYWORD

MSGBOX

REGENUMKEY

SHELLEXECUTE

SHELLEXECUTEWAIT

TCPACCEPT

TCPCLOSESOCKET

TCPCONNECT

TCPLISTEN

TCPNAMETOIP

TCPRECV

TCPSEND

TCPSHUTDOWN

TCPSTARTUP

TRAYGETMSG

UDPBIND

UDPCLOSESOCKET

UDPOPEN

UDPRECV

UDPSEND

UDPSHUTDOWN

UDPSTARTUP

SendKeyDelay

SendKeyDownDelay

TCPTimeout

WINDOWSDIR

AUTOITEXE

HOTKEYPRESSED

%s (%d) : ==> %s.:

Line %d:

Line %d (File "%s"):

%s (%d) : ==> %s:

AutoIt script files (*.au3, *.a3x)

*.au3;*.a3x

All files (*.*)

04090000

%u.%u.%u.%u

0.0.0.0

Mddddd

"%s" (%d) : ==> %s:

\??\%s

GUI_RUNDEFMSG

AUTOITCALLVARIABLE%d

255.255.255.255

Keyword

AUTOIT.ERROR

Null Object assignment in FOR..IN loop

Incorrect Object type in FOR..IN loop

3, 3, 12, 0

HKEY_LOCAL_MACHINE

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_USERS

%d/d/d

C:\Windows\system32\SVHOST.EXE

AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.

Missing operator in expression."Unbalanced brackets in expression.

Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.

0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.

Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.

Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.

3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.

Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.

String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.

IDM1.tmp_1652:

.text

.rdata

@.data

.rsrc

PSSht

PSSh|

SShX*A

PSSSSSSh!

SSSh,QA

COMCTL32.dll

SHDeleteKeyW

SHLWAPI.dll

GetWindowsDirectoryW

GetProcessHeap

KERNEL32.dll

MsgWaitForMultipleObjects

EnumWindows

ExitWindowsEx

USER32.dll

RegOpenKeyExW

RegEnumKeyW

RegQueryInfoKeyW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyW

RegEnumKeyExW

ADVAPI32.dll

ShellExecuteExW

ShellExecuteW

SHELL32.dll

ole32.dll

OLEAUT32.dll

MSVCRT.dll

_wcmdln

webHancer

New.net

\StringFileInfo\xx\FileVersion

%sLanguages\%s

%sIDM*.*

%sLanguages\inst_*.lng

version="1.0.0.0"

name="Tonec.IDM.Uninstall"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>

<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>

<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>

<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>

<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>

-<6^>~>^:]6]6<2<2=6=6<2

91%2%s-

%XRp1

)<6]:~:~>~>}:}>

-V%U)

%S-q-

-w%U!3

1%S)S)

[?_?___?[

52%s-'

%S)t)S)

%s1t1

[>_?_?_?___?[

^.JsRWNR-

!%%%)%)%-

__[?[____

2_*_*_*_*

!r%3%u!

>{:[:|>;6

696:6:6:6;6;6[6[6[6[6[6\6\6[6\6[6;6

%t%s!S!R!R!R!S!s%s%

Q!R%s%s)

0!0!0!Q!S%R%s)

!V)x%x)

4%V)4!U%U%

2<6]6]6]6\6\6|6|:

.:2;6]:~>

2:6;6\:}:

>|>|:[::6

%u%u!u!U!3

12%u1

fceb7191-46c6-4fb2-bc5f-a10317cd4b1a

fc21ec12-91cc-4546-8ce9-0fea34ce5ad9

f1b17826-2437-4a4d-a9d0-97ee5c76c164

db47a145-d5cc-424d-885d-7a305ebc25b0

d177c6d9-1454-476c-bcc3-1195d036d6e0

cf2d8c1d-bb0e-4cdc-9e97-3cc6da9f48c7

cb6498f3-91f5-4e72-bdd3-35e5a6dc6d5f

851aba31-d661-4825-a37f-5bd0faeb4d88

80993b9b-0cd0-4b2d-864c-88151c635fe5

77e27bc6-988a-4b45-bdf1-85a8928f86ea

6528e7db-f86d-4398-a3df-abf0e7b70aa2

64a72197-bda2-449e-ba78-8e0335442661

205801ea-84b1-4085-b818-b1c6fb567bd7

179619ba-deeb-4436-abaf-82eeaf2f3816

144323b7-20c3-4b5f-b2a5-1cd0d6996dbc

02c1811b-6b25-416a-aca8-dc671d68056d

00645ccd-b777-44a2-9b36-1fb3f423b559

NPIDMan2.dll

NPIDMan1.dll

%sNP_IDM%d.dll

{0055C089-8582-441B-A0BF-17B458C2A3A8}

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

rIDMShellExt.dll

%s\IDMShellExt.dll

regsvr32.exe

/u /s IDMShellExt64.dll

/u /s "%s\IDMShellExt64.dll"

IDMan.exe

MozillaFirebird.exe

Mozilla.exe

SOFTWARE\FullCircle\TalkBack\%s

Software\Microsoft\Windows\CurrentVersion\Run

Software\Opera Software

MozillaFirebird

mozilla

Opera

firefox

SOFTWARE\mozilla.org\Mozilla

Mozilla

sporder.dll

\idmmbc.dll

Wrpcrt4.dll

%s%s\

%s\settings.bak

%s%sDMCache\%s

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

%s%sDMCache

fceb7191-46c6-4fb2-bc5f-000000000000

%s%sIDMShellExt.dll

/s "%s%sIDMShellExt64.dll"

%s %s

RUNDLL32.EXE

Sysnative\RUNDLL32.EXE

%s%sIDMIntegrator64.exe

SETUPAPI.DLL,InstallHinfSection DefaultUninstall 128 %s

SETUPAPI.DLL,InstallHinfSection DefaultInstall 128 %s

idmtdi.inf

idmtdi32.sys

idmwfp.inf

%s%s%s

idmwfp32.sys

\\.\IDMTDI

\\.\IDMWFP

net.exe

%s\%s

idmmbc.dll

avwebgrd

setup_error.log

Internet Download Manager.lnk

%s.lnk

%s\%s\

IDMSetup2.log

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

WVERSION.dll

%s%s%i.tmp

%s%i%s

IDM0.tmp

IDMNetMon64.dll

IDMNetMon.dll

\WinInit.Ini

Error ID: %s

%s. %s Error ID=%s

%s. Error ID=%s

It is necessary to install IDM to "%s" folder.

"%s"?

Please select "Tasks->Exit" (or "URL->Exit" for old versions) menu item in the main IDM window to close Internet Download Manager before proceeding.

The "Access denied" error occurred while copying main IDM executable file into the specified location!

Cannot install main IDM executable file! The installation cannot be continued.

Do not cancel Windows dialog of copying files

Windows will not be able to register all IDM components in folder

"%s".

An unknown error occurred while removing IDM integration from web browsers!

An unknown error occurred while removing IDM integration from %s browser. You may need to delete %s file manually

Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\

%sProgram Files\%s

SOFTWARE\Microsoft\Windows\CurrentVersion

{59FB2056-D625-48D0-A944-1A85B5AB2640}

CLSID\{0055C089-8582-441B-A0BF-17B458C2A3A8}\Implemented Categories

idmBroker.exe

Software\Mozilla

/s "%s\downlWithIDM64.dll"

/s "%s\IDMGetAll64.dll"

/s "%s\IDMIECC64.dll"

%s\idmfsa.dll

%s\downlWithIDM.dll

%s\IDMIECC.dll

%s\IDMGetAll.dll

%s\IDManTypeInfo.tlb

SOFTWARE\Classes\AppID\%s

AppID\%s

CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}

{AC746233-E9D3-49CD-862F-068F7B7CCCA4}

IDMan.CIDMLinkTransmitter

Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{F6E1B27E-F2DA-4919-9DBD-CAB90A1D662B}

IEMonitor.exe

Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}

Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}

"%s" /rtr%s%s%s%s%s

/rbmsg

/setlngid %d

/setlngid %d /fulllngfile %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

<DEL%s

Could not create/open registry key

%s%i="%s\

IDM2.tmp

Kernel32.DLL

VDMDBG.DLL

PSAPI.DLL

IDMIntegrator64.exe

idman.exe

{7D11E719-FF90-479C-B0D7-96EB43EE55D7}

https\

http\

IEGetVL2.htm

IEGetVL.htm

IEGetAll.htm

IEExt.htm

https

%s%sGoogle\Chrome\User Data\Default\Extensions\jmolcgpienlcieaajfkkdamlngancncm

SOFTWARE\Google\Chrome\Extensions

Software\Mozilla\SeaMonkey\Extensions

mozilla_cc2@internetdownloadmanager.com

mozilla_cc@internetdownloadmanager.com

Software\Mozilla\Firefox\Extensions

%sGrabberData\

%sDwnlData\

%s\idmpla.ini

%s\idmpldr.ini

GlobalErrors.log

UrlHistory.txt

dnlbtmn.txt

%sidmmzcc7\

%sidmmzcc5\

%sidmmzcc03\

%sidmmzcc3\

%sidmmzcc02\

%sidmmzcc01\

%sidmmzcc2\

%sidmmzcc\

scheduler.chm

defexclist.txt

%s\idmindex.dll

%s\MediumILStart.exe

%s\idmBroker.exe

%s\idmvconv.dll

%s\idmvs.dll

%s\setup_error.log

%s\IDMGCExt.crx

%s\IDMNetMon64.dll

%s\IDMNetMon.dll

%s\idmcchandler2_64.dll

%s\idmcchandler2.dll

%s\idmcchandler64.dll

%s\idmcchandler.dll

%s\idmftype.dll

%s\IDMFType64.dll

%s\IDMFType.dat

%s\downlWithIDM64.dll

%s\IDMGetAll64.dll

%s\IDMIECC64.dll

%s\IDMIntegrator64.exe

%s\idmtdi64.sys

%s\idmtdi32.sys

%s\idmwfp64.sys

%s\idmwfp32.sys

%s\idmtdi.cat

%s\idmwfp.cat

%s\idmtdi.inf

%s\idmwfp.inf

%s\idmbrbtn64.dll

%s\IDMShellExt64.dll

%s\idmcchandler7_64.dll

%s\idmcchandler7.dll

%s\idmmzcc7_64.dll

%s\idmmzcc7.dll

%s\idmcchandler5_64.dll

%s\idmcchandler5.dll

%s\idmmzcc3_64.dll

%s\idmmzcc3.dll

%s\idmcchandler3_64.dll

%s\idmcchandler3.dll

%s\idmmzcc2_64.dll

%s\idmmzcc2.dll

%s\idmmzcc2.xpi

idmbrbtn.dll

NP_IDM.dll

idmmzcc.xpi

grabber.chm

IDMGrHlp.exe

downlWithIDM.dll

idmupdt.exe

INSTALL.LOG

DelPlug.exe

UNWISE.EXE

UNWISE.INI

Uninstall.exe

IDMSetup.log

tutor.hlp

tutor.chm

tips.txt

etcprotocol.dll

nnprotocol.exe

nnprotocol.dll

idmmkb.dll

IDMGetAll.dll

IDManTypeInfo.tlb

idman.hlp

idman.chm

IDMIECC.dll

license.txt

Uninstall IDM.lnk

Grabber Help.lnk

TUTORIALS.lnk

license.lnk

IDM Help.lnk

%s%s%s%s

SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Internet Download Manager

%Program Files%\Internet Download Manager

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\setup_error.log

It is neccessary to close all web browsers before running this Setup Program. Click Next to continue installation.

Unauthorized reproduction or distribution of this program, or any portion of it, may result in severe civil and criminal penalties, and will by prosecuted to the maximum extent possible under law.

If you want IDM to take over your downloads immediately after the installation, please close all web browsers before proceeding. You may open your browser after starting IDM.

The "Default" option will delete all executive files of IDM, and the integration of IDM into browsers.

Please visit hXXp://VVV.internetdownloadmanager.com

6, 27, 1, 1

SearchProtocolHost.exe_3196:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

MSSHooks.dll

IMM32.dll

SHLWAPI.dll

SrchCollatorCatalogInfo

SrchDSSLogin

SrchDSSPortManager

SrchPHHttp

SrchIndexerQuery

SrchIndexerProperties

SrchIndexerPlugin

SrchIndexerClient

SrchIndexerSchema

Msidle.dll

Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default

pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty

d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx

d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

</MSG></TRC>

<MSG>

<ERR> 0xx=

<LOC> %s(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%s"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%s"

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

SHELL32.dll

PROPSYS.dll

ntdll.dll

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

MsgWaitForMultipleObjects

SearchProtocolHost.pdb

2 2(20282|2

4%5S5

Software\Microsoft\Windows Search

https

kernel32.dll

msTracer.dll

msfte.dll

lX-X-X-XX-XXXXXX

SOFTWARE\Microsoft\Windows Search

tquery.dll

%s\%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

advapi32.dll

WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll

winhttp.dll

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<LOC> %S(%d) </LOC>

tagname="%S"

logname="%S"

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

Microsoft Windows Search Protocol Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchProtocolHost.exe

Windows

7.00.7601.17610

SearchFilterHost.exe_3036:

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

ntdll.DLL

KERNEL32.dll

msvcrt.dll

USER32.dll

ole32.dll

OLEAUT32.dll

TQUERY.DLL

IMM32.dll

MSSHooks.dll

mscoree.dll

SHLWAPI.dll

d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp

RegDeleteKeyW

RegDeleteKeyExW

8%uiP

d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx

Invalid parameter passed to C runtime function.

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp

-d-d-d-d-d-d-d-%d

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h

d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx

RegCloseKey

RegCreateKeyExW

RegOpenKeyExW

RegQueryInfoKeyW

RegEnumKeyExW

ReportEventW

_amsg_exit

SearchFilterHost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Search.MSSFH"

<requestedExecutionLevel

3 3(30383|3

kernel32.dll

Software\Microsoft\Windows Search

SOFTWARE\Microsoft\Windows Search

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

Windows Search Service

tquery.dll

advapi32.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>

Software\Microsoft\Windows Search\Tracing

Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported

Software\Microsoft\Windows Search\Tracing\EventThrottleState

<MSG>

<ERR> 0xx=

<LOC> %S(%d) </LOC>

tid="0x%x"

pid="0x%x"

tagname="%S"

tagid="0x%x"

el="0x%x"

time="d/d/d d:d:d.d"

logname="%S"

</MSG></TRC>

Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}

.\%s.mui

.\%s\%s.mui

%s\%s.mui

%s\%s\%s.mui

%s\%s

winhttp.dll

Microsoft Windows Search Filter Host

7.00.7601.17610 (win7sp1_gdr.110503-1502)

SearchFilterHost.exe

Windows

7.00.7601.17610

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3676
   SVHOST.EXE:3172
   IDMSETUP.EXE:3148
   KEYLOG.EXE:2452
   rundll32.exe:1948
   SETUP.EXE:3400

2. Delete the original Worm file.
   
3. Delete or disinfect the following files created/modified by the Worm:
   

   C:\Windows\System32\SETUP.EXE (1365 bytes)
   C:\Windows\System32\KEYLOG.EXE (1980 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp (187 bytes)
   C:\Users\"%CurrentUserName%"\Desktop\Log.txt (0 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KEYLOG.EXE.lnk (865 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O0QB1JLE\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y2WOAHMS\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\T3K3S2QD\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VQ5LGSJU\desktop.ini (67 bytes)
   C:\Windows\System32\IDMSETUP.EXE (1024 bytes)
   C:\Windows\System32\SVHOST.EXE (1897 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Adobe" = "C:\Windows\wupdate.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
6. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.